<html>
<head><meta charset="utf-8"><title>Error-Handling in FFI context · project-error-handling · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/index.html">project-error-handling</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html">Error-Handling in FFI context</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="211183888"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211183888" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211183888">(Sep 24 2020 at 20:12)</a>:</h4>
<p>I wish this is not duplicated. I found an annoying pain-point: Error Handling in FFI.</p>
<hr>
<p>First, for <code>recoverable error</code>itself, its handling in FFI context is not much different from the general case.<br>
But I'd like to get more guides on how to turn the convert between a Rust <code>recoverable error</code> to its  C counterpart.</p>
<p>Specifically,  C doesn't have a native error handling paradigm, but there are a few common practices. For example, using error code to represent an error type, or using a string buffer provided by the caller to write error message in.</p>
<p>So for example, it would be helpful to know how to cut the boilerplate codes on the conversion.<br>
It's also helpful to if Rust adopters to adopt some some practices, instead of using their own makeshift representation of C-compatible error types.</p>
<hr>
<p>For <code>unrecoverable error</code>, correct me if I were wrong, it's at least a synonym to, if not identical to, panic in most context.<br>
But panic in FFI context is really annoying since it's intertwined with memory management and safety.</p>
<ul>
<li>One solution to tackle this issue is to use a <code>std::panic::catch_unwind</code> to contain it in a "sandbox". But this has two issue.<br>
    - First the trait bound on <code>UnwindSafe</code> is implemented for <code>Sync + Send</code> types. I'd like more details and examples on when <code>AssertUnwindSafe</code> wrapper could and could not be used.<ul>
<li>Second, the documentation mentioned that it cannot catch panics which <em>abort the process</em>. But it'd be really helpful, especially beginners, if the documentation elaborates on how to verify this. Otherwise it's for people to confidently use <code>catch_unwind</code>.</li>
</ul>
</li>
<li>Another common practice is to utilize edition 2018's feature <a href="https://doc.rust-lang.org/edition-guide/rust-2018/error-handling-and-panics/aborting-on-panic.html"><code>aborting on panic</code></a>.  This is not wrong by itself, and is actually recommended in some sources I read. But is this really advisable, given that the memory may be not freed?</li>
</ul>



<a name="211191460"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211191460" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211191460">(Sep 24 2020 at 21:21)</a>:</h4>
<p><span class="user-mention" data-user-id="346097">@Lucius Hu</span> I think improving interoperability with C error handling is quite relevant to the project group and probably something we should look into.</p>



<a name="211191529"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211191529" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211191529">(Sep 24 2020 at 21:22)</a>:</h4>
<p>as for the panic handling, I think this is potentially something we could look into but might be something that is better handled by project-ffi-unwind</p>



<a name="211191538"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211191538" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211191538">(Sep 24 2020 at 21:22)</a>:</h4>
<p>Generally though Rust can't enforce safety inside another language</p>



<a name="211191608"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211191608" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211191608">(Sep 24 2020 at 21:23)</a>:</h4>
<p>Wouldn't panic handling effectively attempt to do that?</p>



<a name="211191610"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211191610" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211191610">(Sep 24 2020 at 21:23)</a>:</h4>
<p>true. But we should promote good practice to make things right on Rust side</p>



<a name="211191656"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211191656" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211191656">(Sep 24 2020 at 21:23)</a>:</h4>
<p>So wrapping unsafe in a panic handler</p>



<a name="211191912"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211191912" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211191912">(Sep 24 2020 at 21:26)</a>:</h4>
<p>C does also have a method for native 'faux'-error handling which is the compiler as does the Rust compiler which can identify unsoundness</p>



<a name="211192117"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211192117" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211192117">(Sep 24 2020 at 21:28)</a>:</h4>
<p>So we cannot prevent error on the other side of FFI boundary, but we need to make sure errors occured  in Rust is managed properly.</p>
<ul>
<li>If Rust is calling a C library and C panics, we can not free the memory issues created by C, but we could probably do better on <code>reporting error</code> and relies on Rust's memory safety so at least memory managed on Rust side is properly freed.</li>
<li>If a C program is calling a Rust library, that's what we have more controls. For example <code>ffi_support</code> crate used by Mozilla relies on <code>panic_unwind</code> to turn panic into (recoverable) error, so that the C side could properly free the memory. ( Otherwise if C side also panics that's really an issue )</li>
</ul>



<a name="211192314"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211192314" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211192314">(Sep 24 2020 at 21:30)</a>:</h4>
<p>in short we cannot enforce any safety rules on other languages, but we need to minimize the chance memory safety issues could raise, by doing things right on Rust side.</p>



<a name="211192379"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211192379" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211192379">(Sep 24 2020 at 21:31)</a>:</h4>
<p>i believe this is what project-ffi-unwind is trying to do maybe</p>



<a name="211192387"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211192387" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211192387">(Sep 24 2020 at 21:31)</a>:</h4>
<p>not sure</p>



<a name="211192391"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211192391" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211192391">(Sep 24 2020 at 21:31)</a>:</h4>
<p>should check the charter</p>



<a name="211192445"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211192445" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211192445">(Sep 24 2020 at 21:31)</a>:</h4>
<p><a href="https://github.com/rust-lang/project-ffi-unwind/blob/master/charter.md">https://github.com/rust-lang/project-ffi-unwind/blob/master/charter.md</a></p>



<a name="211192451"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211192451" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211192451">(Sep 24 2020 at 21:31)</a>:</h4>
<p>cc <span class="user-mention" data-user-id="120076">@BatmanAoD (Kyle Strand)</span></p>



<a name="211192499"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211192499" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211192499">(Sep 24 2020 at 21:32)</a>:</h4>
<p>thx</p>



<a name="211192524"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211192524" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211192524">(Sep 24 2020 at 21:32)</a>:</h4>
<p>and <a href="https://github.com/rust-lang/project-ffi-unwind/blob/master/rfcs/0000-c-unwind-abi.md">https://github.com/rust-lang/project-ffi-unwind/blob/master/rfcs/0000-c-unwind-abi.md</a></p>



<a name="211192531"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211192531" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211192531">(Sep 24 2020 at 21:32)</a>:</h4>
<p>but there's some overlapping parts for error-handling too</p>



<a name="211192554"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211192554" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211192554">(Sep 24 2020 at 21:33)</a>:</h4>
<p>for sure, I just want to be careful about duplicating effort</p>



<a name="211192558"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211192558" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211192558">(Sep 24 2020 at 21:33)</a>:</h4>
<p>project-ffi-unwind is a lang team project idk what that implies</p>



<a name="211195106"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211195106" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211195106">(Sep 24 2020 at 22:03)</a>:</h4>
<p>I guess I don't know all of the context behind <code>unsafe</code> but it seems to me that<br>
one isn't meant to be using it to introduce unsoundness</p>



<a name="211206808"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211206808" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211206808">(Sep 25 2020 at 00:40)</a>:</h4>
<blockquote>
<p>project-ffi-unwind is a lang team project idk what that implies</p>
</blockquote>
<p>It requires a lot of work on the parts of the codebase that's part of the lang team (while this project is under the libs team)</p>



<a name="211206923"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211206923" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211206923">(Sep 25 2020 at 00:43)</a>:</h4>
<p>it was a rhetorical question but thanks for your input</p>



<a name="211206934"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211206934" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211206934">(Sep 25 2020 at 00:43)</a>:</h4>
<p>for your reference questions in the english language typically end in a <code>?</code> mark</p>



<a name="211207014"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211207014" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211207014">(Sep 25 2020 at 00:45)</a>:</h4>
<p>rhetorical meaning not requiring a response not intended to further the discussion</p>



<a name="211207417"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211207417" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211207417">(Sep 25 2020 at 00:53)</a>:</h4>
<p>i know what's a rhetorical question, but in chat applications people often tend to omit the <code>?</code> even for normal questions</p>



<a name="211219782"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211219782" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Ashley Mannix <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211219782">(Sep 25 2020 at 05:22)</a>:</h4>
<blockquote>
<p>for your reference questions in the english language typically end in a ? mark</p>
</blockquote>
<p><span class="user-mention" data-user-id="281739">@Oliver</span> I'm sure it wasn't meant this way but this can come across as a bit condescending when we only have text to work with. Let's all try keep on topic, with language discussion focused on the ones we program in <span aria-label="smile" class="emoji emoji-1f642" role="img" title="smile">:smile:</span></p>



<a name="211381446"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211381446" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211381446">(Sep 26 2020 at 20:33)</a>:</h4>
<p>Hi, I'll try to explain my views on the scope of the FFI-unwind project as it pertains to error-handling conventions. <span class="user-mention" data-user-id="220273">@Jane Lusby</span>, thanks for tagging me.</p>
<p>First, though,  <span class="user-mention" data-user-id="346097">@Lucius Hu</span>, I'd like to understand what you mean by <code>recoverable error</code> and <code>unrecoverable error</code>. I think of those as purely "conceptual", i.e., they're not referring to specific language features but to an idea of how certain errors can or cannot be handled. I think this is how you mean it as well, but this part of your first post confuses me:</p>
<p><span class="user-mention silent" data-user-id="346097">Lucius Hu</span> <a href="#narrow/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context/near/211183888">said</a>:</p>
<blockquote>
<p>For <code>unrecoverable error</code>, correct me if I were wrong, it's at least a synonym to, if not identical to, panic in most context.</p>
</blockquote>
<p>I would agree that <code>panic</code> is the best mechanism for handling errors that the programmer thinks are not recoverable, and I suspect that this is a fairly widely-shared consensus in the community. Is that what you're suggesting here?</p>
<p>I think I can also clarify the connection between <code>panic</code> and aborting:</p>
<p><span class="user-mention silent" data-user-id="346097">Lucius Hu</span> <a href="#narrow/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context/near/211183888">said</a>:</p>
<blockquote>
<p>- Second, the documentation mentioned that it cannot catch panics which <em>abort the process</em>. But it'd be really helpful, especially beginners, if the documentation elaborates on how to verify this. Otherwise it's for people to confidently use <code>catch_unwind</code>.<br>
- Another common practice is to utilize edition 2018's feature <a href="https://doc.rust-lang.org/edition-guide/rust-2018/error-handling-and-panics/aborting-on-panic.html"><code>aborting on panic</code></a>. </p>
</blockquote>
<p>These are actually referring to the same feature, which is not specific to the 2018 edition (despite appearing in the edition guide, which is a recognized point of confusion). The feature causes _all_ uses of <code>panic</code> in a compiled Rust binary (executable) into "abort" statements, causing the program to terminate immediately. A single executable should never have a mix of "abort" <code>panic</code>s and "normal" (unwinding) <code>panic</code>s.</p>
<p><code>catch_unwind</code> can't catch aborts for the simple reason that when a process aborts, it does not check first whether a <code>catch_unwind</code> exists. So when compiled with <code>panic=abort</code>, <code>catch_unwind</code> essentially has no effect. So it is safe to use <code>catch_unwind</code> in libraries, regardless of whether they are used in programs using <code>panic=abort</code> or not.</p>
<p>Regarding clean-up on <code>panic=abort</code>, in most contexts, there is actually no problem with not freeing memory. If your target platform has an operating system, it will automatically free all memory associated with a process once that process terminates. This is part of why it's actually considered safe in Rust to leak memory! There are some resources that _won't_ be cleaned up on some platforms; for instance, I believe that on most file systems, file descriptors can leak, which could be a problem. But I believe it is generally considered safe to abort a process on a "full" (i.e. not real-time) OS, because the OS will usually keep anything too bad from happening.</p>



<a name="211381645"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211381645" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211381645">(Sep 26 2020 at 20:37)</a>:</h4>
<p><span class="user-mention" data-user-id="120076">@BatmanAoD (Kyle Strand)</span> <br>
I used the terminology defined in the workgroup <a href="https://github.com/rust-lang/project-error-handling/blob/master/CHARTER.md">charter</a></p>
<blockquote>
<p>Recoverable error: An error that can be reacted and recovered from when encountered e.g. a missing file.<br>
Unrecoverable error: An error that cannot reasonably be reacted to or recovered from and which indicates a bug e.g. indexing out of bounds.</p>
</blockquote>



<a name="211381700"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211381700" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211381700">(Sep 26 2020 at 20:38)</a>:</h4>
<p>Oh wow! I didn't see that the charter was so fleshed out already. Sorry for missing that context; thanks for pointing me to it!</p>



<a name="211381736"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211381736" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211381736">(Sep 26 2020 at 20:39)</a>:</h4>
<p>Thanks for the detailed explanations. It's true that on a modern OS memory not freed would eventually be recycled by OS. But people may use Rust-FFI for jobs where SECURITY is the top priority</p>



<a name="211381745"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211381745" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211381745">(Sep 26 2020 at 20:39)</a>:</h4>
<p>I would say that the first two bullet points in the "Come to a consensus on current best practices" confirm what you wrote, then, that <code>panic</code> is synonymous with "unrecoverable error", or at least, that by convention they should be treated synonymously.</p>



<a name="211381801"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211381801" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211381801">(Sep 26 2020 at 20:40)</a>:</h4>
<p>Hm. I wouldn't think of memory-cleanup as a security protection. Allocators do not typically _overwrite_ old memory.</p>



<a name="211381805"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211381805" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211381805">(Sep 26 2020 at 20:40)</a>:</h4>
<p>(when freeing it)</p>



<a name="211381832"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211381832" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211381832">(Sep 26 2020 at 20:41)</a>:</h4>
<p>I'm not talking about specific platform or OS, but just generic FFI. For simplicity we can assume it's something like x86_64 *unix. For more specific cases, they may better fit Embedded WG or others.</p>



<a name="211381902"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211381902" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211381902">(Sep 26 2020 at 20:43)</a>:</h4>
<p>So the concern of memory security really troubles people. So if they don't matter due to some of Rust's design or due to guarantees offered by modern OS, I think we should explicit document it.</p>



<a name="211381905"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211381905" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211381905">(Sep 26 2020 at 20:43)</a>:</h4>
<p>Just for references.</p>



<a name="211381958"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211381958" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211381958">(Sep 26 2020 at 20:45)</a>:</h4>
<p>Either way, I don't see a close connection between security-related cleanup and either FFI or error handling in general. I think you're potentially right that for security-critical data, <code>abort</code> might be a dangerous choice, but I don't know enough about the field, and I think that's probably somewhat outside the scope of this group's concerns.</p>



<a name="211382050"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382050" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382050">(Sep 26 2020 at 20:47)</a>:</h4>
<p>I found the security guide from the French spy agency really helpful <a href="https://anssi-fr.github.io/rust-guide/07_ffi.html#memory-and-resource-management">https://anssi-fr.github.io/rust-guide/07_ffi.html#memory-and-resource-management</a></p>



<a name="211382101"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382101" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382101">(Sep 26 2020 at 20:48)</a>:</h4>
<p>Regarding FFI-unwind: our charter is fairly minimal. We are specifically concerned with control-flow constructs that cross between language boundaries, and making sure that the Rust compiler is able to emit code that interacts with these constructs without causing undefined behavior. The connection to error-handling, of course, is that such constructs are usually used for error-handling.</p>
<p>Specifically, our first RFC was to establish a way for C++ exceptions to cross "through" Rust and back into C++, and for Rust <code>panic</code>s to cross "through" C++ and back into Rust. In each case:</p>
<ul>
<li>Resource clean-up via destructors and <code>Drop</code> must happen normally in each language</li>
<li>If the unwinding is recovered from, that must happen in the language where the unwinding originated  (i.e. with <code>catch_unwind</code> for <code>panic</code> or <code>try</code>/<code>catch</code> for exceptions)</li>
</ul>
<p>Our next major effort, I think, will be to specify when it is safe to drop Rust frames without unwinding. This is what happens on most platforms with <code>longjmp</code> (which is true in C++ as well). In general, relying on <code>longjmp</code> should not be considered a "best practice" in Rust, but it's something that we sometimes need to deal with when interfacing with C libraries. Note that there is no way whatsoever for any language to perform cleanup on arbitrary target platforms when C <code>longjmp</code>s through it, so we definitely won't be introducing mechanisms for using <code>Drop</code> types in the presence of <code>longjmp</code>.</p>



<a name="211382124"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382124" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382124">(Sep 26 2020 at 20:49)</a>:</h4>
<p>I agree that for some works maybe memory leak is not a very severe issue. But in some cases, there are strict guidelines developers must comply with if they ever want integration of  Rust-FFI.</p>



<a name="211382125"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382125" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382125">(Sep 26 2020 at 20:49)</a>:</h4>
<p>I think we would never recommend exposing <code>panic</code> across a language boundary as a go-to error-communication mechanism, though.</p>



<a name="211382177"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382177" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382177">(Sep 26 2020 at 20:50)</a>:</h4>
<p>For example, if I want to make an R extension and publish it in CRAN, I think I need to ensure no memory leak. Because CRAN is running multiple tools to check memory leak all the time.</p>



<a name="211382186"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382186" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382186">(Sep 26 2020 at 20:51)</a>:</h4>
<p>Is that still related to error-handling? I'm a little confused.</p>



<a name="211382242"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382242" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382242">(Sep 26 2020 at 20:52)</a>:</h4>
<p>It is. Because if we just let the Rust program panic, without proper handling, then memory could be leaked.</p>



<a name="211382253"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382253" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382253">(Sep 26 2020 at 20:53)</a>:</h4>
<p>That's more about RAII than error-handling.</p>



<a name="211382254"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382254" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382254">(Sep 26 2020 at 20:53)</a>:</h4>
<p>_wondering how old this document from the spy agency you linked is_</p>



<a name="211382262"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382262" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382262">(Sep 26 2020 at 20:53)</a>:</h4>
<p>It's published this year.</p>



<a name="211382263"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382263" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382263">(Sep 26 2020 at 20:53)</a>:</h4>
<p>interesting</p>



<a name="211382264"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382264" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382264">(Sep 26 2020 at 20:53)</a>:</h4>
<p>It's immensely strict</p>



<a name="211382267"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382267" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382267">(Sep 26 2020 at 20:53)</a>:</h4>
<p><code>fn foo_create() -&gt; *mut RawFoo;</code></p>



<a name="211382277"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382277" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382277">(Sep 26 2020 at 20:54)</a>:</h4>
<p>im surprised this isn't something like <code>fn foo_create() -&gt; Option&lt;NonNull&lt;RawFoo&gt;&gt;;</code> or w/e the syntax is</p>



<a name="211382315"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382315" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382315">(Sep 26 2020 at 20:54)</a>:</h4>
<p>keep in mind i've done like no ffi</p>



<a name="211382317"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382317" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382317">(Sep 26 2020 at 20:54)</a>:</h4>
<p>For a state-level adversary, someone must use that level of cautions lol</p>



<a name="211382348"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382348" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382348">(Sep 26 2020 at 20:55)</a>:</h4>
<p>Re: unrecoverable errors and FFI: the "sandbox" approach for <code>panic</code> is almost certainly the only viable (and safe)  global/default approach. In our RFC for cross-language unwinding, we specified that <code>"C"</code> will now <code>abort</code> rather than let a <code>panic</code> cross the boundary. This makes <code>extern "C"</code> functions somewhat "sandbox-like" in that regard.</p>



<a name="211382391"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382391" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382391">(Sep 26 2020 at 20:56)</a>:</h4>
<p>sick</p>



<a name="211382618"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382618" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382618">(Sep 26 2020 at 21:03)</a>:</h4>
<p>Right, we need some guidelines like this. But sometimes abort alone is not enough to prevent memory leak.</p>



<a name="211382666"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382666" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382666">(Sep 26 2020 at 21:04)</a>:</h4>
<p><span class="user-mention" data-user-id="346097">@Lucius Hu</span> in abort you'd still have the chance to run a panic hook, assuming you're aborting via libstd's aborting infrastructure</p>



<a name="211382668"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382668" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382668">(Sep 26 2020 at 21:04)</a>:</h4>
<p>i think</p>



<a name="211382669"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382669" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382669">(Sep 26 2020 at 21:04)</a>:</h4>
<p>let me double check</p>



<a name="211382670"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382670" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382670">(Sep 26 2020 at 21:04)</a>:</h4>
<p>In many cases one side of FFI boundary, either Rust or C, may need to manually call the destructor to free the memory. The problem of both abort and panic is that, if that ever happens, the program may not get the chance to call the destructor.</p>



<a name="211382682"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382682" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382682">(Sep 26 2020 at 21:05)</a>:</h4>
<p>I guess my summary would be that FFI-unwind is (currently) for dealing with the messy realities of systems programming as it exists today, where C is the lingua franca, so there is no language-level mechanism for handling errors, much less for distinguishing recoverable from non-recoverable errors. In this context, our job is mostly to "protect" Rust from C, and vice-versa.</p>
<p>For less "antagonistic" cross-language error handling, I think we rely somewhat on the progress of some broader efforts in this direction:</p>
<ul>
<li>For "traditional" systems programming, the C and C++ communities have started collaborating a bit on sketching out what cross-language error handling might look like. The latest paper I've seen on this topic is here: <a href="http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2429.pdf">http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2429.pdf</a></li>
<li>For target platforms of the future, I think WebAssembly Interface Types seem promising, and I hope that they include some built-in notion of error handling. <a href="https://hacks.mozilla.org/2019/08/webassembly-interface-types/">https://hacks.mozilla.org/2019/08/webassembly-interface-types/</a></li>
</ul>



<a name="211382750"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382750" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382750">(Sep 26 2020 at 21:06)</a>:</h4>
<p>Yep there are some facilities for that. But we need to document and summarize them.</p>



<a name="211382752"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382752" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382752">(Sep 26 2020 at 21:06)</a>:</h4>
<p><span class="user-mention silent" data-user-id="346097">Lucius Hu</span> <a href="#narrow/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context/near/211382317">said</a>:</p>
<blockquote>
<p>For a state-level adversary, someone must use that level of cautions lol</p>
</blockquote>
<p>why is encrypted memory not being used in the first place, or if it is, is there _really_ any distinction between memory that has been cleared and hasn't?</p>



<a name="211382818"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382818" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382818">(Sep 26 2020 at 21:09)</a>:</h4>
<p>ok, for example, though it's not related to Rust, one way of hacking MacBook is to dump the memory. Because in hibernation the memory still posses data which could be highly sensible. Clearly it's not feasible to encrypt all the memory right</p>



<a name="211382871"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382871" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382871">(Sep 26 2020 at 21:10)</a>:</h4>
<p>Fair, I guess we're still a couple years away from memory controllers in conventional laptops having ability to encrypt _all_ memory.</p>



<a name="211382887"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382887" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382887">(Sep 26 2020 at 21:11)</a>:</h4>
<p>In many scenarios we can not assume the underlying infrastructure has encryption, that's why we need extra effort to ensure no memory leak in the first place</p>



<a name="211382895"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382895" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382895">(Sep 26 2020 at 21:11)</a>:</h4>
<p>This is something that is available in server-chip space (e.g. as implemented by EPYCs) and I remember seeing embedded chips that have this functionality too.</p>



<a name="211382896"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382896" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382896">(Sep 26 2020 at 21:11)</a>:</h4>
<p>this is seeming more and more like a security topic that happens to intersect with error handling than something that is _about_ error handling</p>



<a name="211382951"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382951" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382951">(Sep 26 2020 at 21:12)</a>:</h4>
<p>yeah my bad ^^, feel free to split out the messages into a topic in <a class="stream" data-stream-id="122651" href="/#narrow/stream/122651-general">#general</a></p>



<a name="211382953"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382953" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382953">(Sep 26 2020 at 21:12)</a>:</h4>
<p>no i dont think its you specifically, just the entire conversation has been drifting this way</p>



<a name="211382954"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382954" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382954">(Sep 26 2020 at 21:12)</a>:</h4>
<p>so I agree that we have many ways to ensure securities or let the OS recycle leaked memory. But it's best we can do as good as we can so we don't need those alternative approaches</p>



<a name="211382964"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382964" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382964">(Sep 26 2020 at 21:13)</a>:</h4>
<p><span class="user-mention silent" data-user-id="346097">Lucius Hu</span> <a href="#narrow/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context/near/211382954">said</a>:</p>
<blockquote>
<p>so I agree that we have many ways to ensure securities or let the OS recycle leaked memory. But it's best we can do as good as we can so we don't need those alternative approaches</p>
</blockquote>
<p>this seems quite reasonable, the point I'm making though is I don't think it makes sense for the error handling project group in particular to oversee this work</p>



<a name="211382967"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382967" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382967">(Sep 26 2020 at 21:13)</a>:</h4>
<p>well to return to the topic, if we don't properly manage the "unrecoverable error", bad things could happen</p>



<a name="211382968"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382968" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382968">(Sep 26 2020 at 21:13)</a>:</h4>
<p>to me this seems more suited to an independent RFC</p>



<a name="211382987"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211382987" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211382987">(Sep 26 2020 at 21:14)</a>:</h4>
<p>im not sure if theres a security wg of some sort</p>



<a name="211383014"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383014" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383014">(Sep 26 2020 at 21:14)</a>:</h4>
<p>i know theres the unsafe code guidelines wg</p>



<a name="211383016"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383016" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383016">(Sep 26 2020 at 21:14)</a>:</h4>
<p><a class="stream" data-stream-id="146229" href="/#narrow/stream/146229-wg-secure-code">#wg-secure-code</a> probably</p>



<a name="211383036"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383036" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383036">(Sep 26 2020 at 21:15)</a>:</h4>
<p>cc <span class="user-mention" data-user-id="132721">@Tony Arcieri</span></p>



<a name="211383041"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383041" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383041">(Sep 26 2020 at 21:15)</a>:</h4>
<p>there could be thousands of ways to cause a security breach, for this WG specifically, I think we need guidelines and documentations</p>



<a name="211383046"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383046" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383046">(Sep 26 2020 at 21:15)</a>:</h4>
<p>ohai</p>



<a name="211383090"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383090" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383090">(Sep 26 2020 at 21:16)</a>:</h4>
<p>to summarize the backscroll, we're talking about the security implementations of panics and ffi</p>



<a name="211383091"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383091" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383091">(Sep 26 2020 at 21:16)</a>:</h4>
<p>aah</p>



<a name="211383093"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383093" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383093">(Sep 26 2020 at 21:16)</a>:</h4>
<p>and I think this might be more up your alley than mine</p>



<a name="211383096"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383096" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383096">(Sep 26 2020 at 21:17)</a>:</h4>
<p>so I'm not proposing that we need to invent additional stuff to ensure security, which is clearly not related to the WG. But since this WG is for generic error-handling, I think it fits to include guidelines for error-handling in FFI context</p>



<a name="211383097"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383097" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383097">(Sep 26 2020 at 21:17)</a>:</h4>
<p>especially since you got that zeroize crate</p>



<a name="211383101"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383101" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383101">(Sep 26 2020 at 21:17)</a>:</h4>
<p>seems very relevant</p>



<a name="211383103"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383103" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383103">(Sep 26 2020 at 21:17)</a>:</h4>
<p>so uhh, I'm not sure how much I can talk about here, but Google is working on some cool stuff in LLVM</p>



<a name="211383107"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383107" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383107">(Sep 26 2020 at 21:17)</a>:</h4>
<p>and yes I wrote <code>zeroize</code> but we can do a lot better <span aria-label="sweat smile" class="emoji emoji-1f605" role="img" title="sweat smile">:sweat_smile:</span></p>



<a name="211383152"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383152" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383152">(Sep 26 2020 at 21:18)</a>:</h4>
<p>the idea I like the most is, for a lack of a better term, "stack bleaching" which is something being used a bit in the Linux kernel but also potentially possible with LLVM even across FFI boundaries</p>



<a name="211383161"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383161" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383161">(Sep 26 2020 at 21:18)</a>:</h4>
<p>the general idea is you decide you begin an operation with transient secrets on the stack, and the hard part is calculating the high watermark on the stack</p>



<a name="211383168"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383168" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383168">(Sep 26 2020 at 21:19)</a>:</h4>
<p>and once the entire set of operations is done, you zero the stack up to the high watermark</p>



<a name="211383171"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383171" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383171">(Sep 26 2020 at 21:19)</a>:</h4>
<p><span class="user-mention silent" data-user-id="346097">Lucius Hu</span> <a href="#narrow/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context/near/211383096">said</a>:</p>
<blockquote>
<p>so I'm not proposing that we need to invent additional stuff to ensure security, which is clearly not related to the WG. But since this WG is for generic error-handling, I think it fits to include guidelines for error-handling in FFI context</p>
</blockquote>
<p>aah, okay that sounds fine. I think if we end up writing an error handling book that might be a good place to put guidelines about ffi memory safety concerns around error handling</p>



<a name="211383177"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383177" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383177">(Sep 26 2020 at 21:19)</a>:</h4>
<p>I'll have to defer to you on writing those guidelines though, but I'll be happy to review any chapters you contribute as much as I am able</p>



<a name="211383180"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383180" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383180">(Sep 26 2020 at 21:19)</a>:</h4>
<p>Hi Tony, my intention is, providing guidelines to better manage errors in FFI context, so we may not even need to deal with so much complications</p>



<a name="211383182"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383182" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383182">(Sep 26 2020 at 21:19)</a>:</h4>
<p><code>zeroize</code> is kind of a hack to accomodate what is possible in stable Rust today</p>



<a name="211383227"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383227" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383227">(Sep 26 2020 at 21:20)</a>:</h4>
<p>It's best if there's no error. If there is, it's best it's recoverable. If it's unrecoverable, it's best we "sandbox" it so we can gracefully do the clean up.</p>



<a name="211383228"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383228" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383228">(Sep 26 2020 at 21:20)</a>:</h4>
<p>yeah I'm not sure exactly what you need here per se. if there were really secrets on the stack, stack bleaching is probably the best option, otherwise I'm not sure what else you can do</p>



<a name="211383234"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383234" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383234">(Sep 26 2020 at 21:21)</a>:</h4>
<p>If otherwise, then things gets really complicated.... And that's where I want to avoid</p>



<a name="211383235"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383235" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383235">(Sep 26 2020 at 21:21)</a>:</h4>
<p>yeah exactly</p>



<a name="211383241"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383241" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383241">(Sep 26 2020 at 21:21)</a>:</h4>
<p>the nice thing about the stack bleaching approach is it's actually relatively simple and works cleanly across FFI boundaries, at least in the context of LLVM-compiled languages</p>



<a name="211383284"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383284" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383284">(Sep 26 2020 at 21:22)</a>:</h4>
<p>but when and if it hits mainline LLVM... TBD</p>



<a name="211383286"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383286" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383286">(Sep 26 2020 at 21:22)</a>:</h4>
<p><span class="user-mention silent" data-user-id="346097">Lucius Hu</span> <a href="#narrow/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context/near/211383227">said</a>:</p>
<blockquote>
<p>It's best if there's no error. If there is, it's best it's recoverable. If it's unrecoverable, it's best we "sandbox" it so we can gracefully do the clean up.</p>
</blockquote>
<p>regarding this point, it seems like the ffi unwind group's current plans cover this</p>



<a name="211383287"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383287" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383287">(Sep 26 2020 at 21:22)</a>:</h4>
<p>and then there's Cranelift to think about</p>



<a name="211383294"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383294" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383294">(Sep 26 2020 at 21:22)</a>:</h4>
<p>the unwinding panic turns into an abort if it hits a c boundary and isn't caught with catch::unwind</p>



<a name="211383296"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383296" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383296">(Sep 26 2020 at 21:23)</a>:</h4>
<p>but you're still already doing the proper unwinding all the way up to that point</p>



<a name="211383306"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383306" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383306">(Sep 26 2020 at 21:23)</a>:</h4>
<p>with the ability to setup your panic hook and catch it as you see fit to secure the memory</p>



<a name="211383308"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383308" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383308">(Sep 26 2020 at 21:23)</a>:</h4>
<p>that sounds great I will take a look</p>



<a name="211383366"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383366" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383366">(Sep 26 2020 at 21:24)</a>:</h4>
<p>but in the meantime, I'm not sure when their efforts will materialize...</p>



<a name="211383519"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383519" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383519">(Sep 26 2020 at 21:29)</a>:</h4>
<p>so even if their FFI unwinding mechanism cannot be completed, with careful handling of errors we can still do something to mitigate the risk of memory leak, with the existing features of Rust</p>



<a name="211383587"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383587" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383587">(Sep 26 2020 at 21:31)</a>:</h4>
<p>In my view that's also the value of error-handling. Although there are multiple ways to deal with the same problem ( e.g. memory leak ), it's best if we do it right in every aspect</p>



<a name="211383638"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383638" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lucius Hu <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383638">(Sep 26 2020 at 21:32)</a>:</h4>
<p>so they keep making their FFI unwind, and we could also contain the risk with good error handling</p>



<a name="211383755"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383755" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383755">(Sep 26 2020 at 21:36)</a>:</h4>
<p><span class="user-mention silent" data-user-id="220273">Jane Lusby</span> <a href="#narrow/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context/near/211383286">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="346097">Lucius Hu</span> <a href="#narrow/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context/near/211383227">said</a>:</p>
<blockquote>
<p>It's best if there's no error. If there is, it's best it's recoverable. If it's unrecoverable, it's best we "sandbox" it so we can gracefully do the clean up.</p>
</blockquote>
<p>regarding this point, it seems like the ffi unwind group's current plans cover this</p>
</blockquote>
<p>My only caveat would be that the development and communication of best practices would probably fall more in this group's purview than in FFI-unwind's. But yes, the RFC does specify a way to sandbox panics! I think we would also like to add some additional "sandboxing" features, but that starts to creep into effects-algebra territory, which is much broader.</p>



<a name="211383775"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383775" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383775">(Sep 26 2020 at 21:37)</a>:</h4>
<p><span class="user-mention silent" data-user-id="346097">Lucius Hu</span> <a href="#narrow/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context/near/211383519">said</a>:</p>
<blockquote>
<p>so even if their FFI unwinding mechanism cannot be completed, with careful handling of errors we can still do something to mitigate the risk of memory leak, with the existing features of Rust</p>
</blockquote>
<p>This is absolutely true. I think it would be entirely reasonable for a security-conscientious app to have a stack-bleach followed by <code>abort</code> inside a <code>catch_unwind</code> at the top of every <code>extern "C"</code> function. It's noisy, but it's safe.</p>



<a name="211383837"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/257204-project-error-handling/topic/Error-Handling%20in%20FFI%20context/near/211383837" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jane Lusby <a href="https://rust-lang.github.io/zulip_archive/stream/257204-project-error-handling/topic/Error-Handling.20in.20FFI.20context.html#211383837">(Sep 26 2020 at 21:39)</a>:</h4>
<p>that sounds sick</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>